Sounds like a job for GPOs and IPsec filters. Use the GPOs to enforce account policies and to set local admin passwords. Third-party add-ons to GPOs give you even more power to control configurations as well, like the ability to push certain files to machines.

Use the IPsec filter to only allow your DCs and a management station to have file and print access to the workstations. I am leery of disabling File and Print because it blocks your ability to remotely manage machines. There was an article out that discussed how you could create a poor admin's version of a spyware removal tool and use GPOs to enforce it. I will look around to see if I can relocate it.

Todd Myrick
MS MVP

-----Original Message-----
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 02, 2005 11:43 AM
To: [email protected]
Subject: Re: [ActiveDir] worm/bot issues

blank admin passwords are wrong. very very wrong. evil wrong.

you can use pspasswd from sysinternals to change the local admin password on remote boxes (not sure if the traffic is encrypted and if so what the encryption is. at some point i think i asked them and they said "it is encrypted" but they didn't say how/what).

this should prob be top priority for you, IMO.

good luck,
john

Kern, Tom wrote:
>
> I know you can force password complexity but is there a way to globally
> change all the local admin account passwords to something complex via a
> gpo or logon script?
> these pc's were set up by the help desk staff and i know they just use
> blank admin passwords when setting up a pc because these accounts are
> never used and if a help desk admin has to boot a pc into safe mode,
> they don't have to remember 500 diff passwords.
>
> also, if my virus defs are up to date and my patches are as well,
> shouldn't a worm just be killed or ineffective?
> thanks
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, March 02, 2005 11:14 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] worm/bot issues
>
> Do those users have weak/blank passwords? Do the admin accounts (or
> other accounts) on those systems have similarly insecure passwords?
> You may be looking at a dictionary-packing worm, and no virus-def
> can help you if that is so - unless, of course, you secure the
> passwords.
>
> HTH
>
> Deji
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, March 02, 2005 7:51 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] worm/bot issues
>
> Hi all, i have users that keep getting infected with a worm Symantec
> calls "W32.Spybot.KHO". The thing keeps coming back unless you
> disable file and print sharing.
>
> The thing I don't understand is that all my clients(winxp) virus
> defs are up to date and they are all patched. I use SUS and push out
> patches on a regular basis. I even ran MS baseline security analyzer
> on the infected boxes and they come up good for up to datedness.
>
> I don't really understand how an up to date patched pc can become
> infected over and over.
>
> according to Symantec, the holes that this thing exploits, i've had
> covered awhile ago.
>
> is it possible to be patched and up to date and STILL get infected?
>
> is there any way out of this quagmire?
>
> thanks
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
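
The thread's central question, replacing blank local admin passwords on every workstation with complex ones that nobody has to remember, can be scripted. The block below is an added example, not code from any poster in the thread; it assumes PowerShell 5.1 with remoting enabled on the workstations (not the WinXP tooling discussed above), and the host names are constructed placeholders.

```powershell
# Added example, not from the thread. Host names below are constructed placeholders.
$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (I, O, l, 0, 1) are left out so a password can be typed at a console.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            # 256 is not a multiple of 66, so there is a slight modulo bias; acceptable at this length.
            $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
            # Retry until all four character classes are present (typical complexity policy).
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    } finally { $rng.Dispose() }
    $pw
}

$results = foreach ($computer in $Computers) {
    # A different password per machine: one recovered password does not unlock the others.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $secure -ScriptBlock {
            param([securestring]$NewPassword)
            # The built-in Administrator is found by RID 500, so a renamed account is still matched.
            $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
            if (-not $admin) { throw 'RID-500 account not found' }
            $admin | Set-LocalUser -Password $NewPassword -ErrorAction Stop
        }
        [pscustomobject]@{ Computer = $computer; Password = $plain; Status = 'Changed' }
    } catch {
        # Unreachable or failing hosts keep their old password and are reported for follow-up.
        [pscustomobject]@{ Computer = $computer; Password = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# $results holds cleartext passwords: move them into your password store, do not leave them on disk.
$results | Where-Object Status -ne 'Changed' | Format-Table Computer, Status -AutoSize
```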
